Re-add backup/restore plans

Author: timidri

documentation/backup.md

@@ -0,0 +1,74 @@
+# Backup Puppet Enterprise using the PEADM module
+
+## What is being backed up?
+
+By default the `peadm::backup` plan will backup the following items:
+
+1. Orchestrator
+2. PuppetDB
+3. RBAC
+   - Also, It copies the LDAP secret key if it present
+4. Activity
+5. Classification
+
+Optionally you can also backup:
+
+1. CA (CA and SSL certificates)
+
+----
+
+Most of the backups will be a direct copy of the databases with the exception of:
+
+- Classification
+  - The backup is done using an API call
+- CA
+  - The certificate files will be copy via the puppet-backup script.
+
+
+**Note:** 
+
+It is important to highlight that the `peadm::backup` plan's output is different than the one you will get when you backup manually using [the `puppet-backup create` command.](https://puppet.com/docs/pe/latest/backing_up_and_restoring_pe.html#back_up_pe_infrastructure).
+
+The differences between these two backup tools are:
+
+1. The structure of the backup file, since this plan `peadm:backup` uses a combination of scripts, API calls, and DB backups, you will not be able to restore it using the traditional `sudo puppet-backup restore <backup-filename>` command. [To read more about the difference between the options (flags), please read the official PE doc for backing up & restoring.](https://puppet.com/docs/pe/latest/backing_up_and_restoring_pe.html#back_up_pe_infrastructure)
+
+1. The core idea of the `peadm:backup` plan is a focus on being able to separate customers data from the infrastructure data. This contrasts with the PE backup script which is more focused on a traditional backup and restore after a system failure where will be restoring the same infrastructure. It, therefore, targets things like backing up PostgreSQL rather than the actual data you want.
+    - This can be seen when restoring node groups with `peadm:backup` only restores the non-PEinfrastructure source groups and restores them to target.
+
+    - [PE backup](https://puppet.com/docs/pe/latest/backing_up_and_restoring_pe.html#back_up_pe_infrastructure) is not capable of restoring to a DR setup and requires you to provision a new DR setup whereas [`peadm:restore`](restore.md) will reinitialise replicas as part of the process
+
+1. One of the other key differences with the `peadm:backup` is it is compatible with the extra-large (XL) architectures as it can communicate with the remote PostgreSQL server using temporary escalated privileges.
+
+## How can I customize my backup?
+
+We need to pass the `backup` parameter to the `peadm::backup` plan.
+
+**Example**
+
+**Note:** The `peadm::backup` plan can only be executed from the PE primary server.
+
+Let's Backup _only_ RBAC
+
+```
+# backup_params.json
+
+{
+  "backup": {
+    "orchestrator": false,
+    "puppetdb": false,
+    "rbac": true,
+    "activity": false,
+    "ca": false,
+    "classifier": false
+  },
+  "output_directory": "/tmp"
+}
+```
+
+We selected our backup options and the `output_directory` (default `/tmp`).
+
+To run the backup plan with our custom parameters:
+
+    bolt plan run peadm::backup --params @backup_params.json
+

documentation/restore.md

@@ -0,0 +1,46 @@
+# Restore Puppet Enterprise using the PEADM module
+
+Once you have a [backup](backup.md) you can restore a PE primary server. It is important to highlight that you can not use the `peadm::restore` plan with a backup that was not created with the `peadm::backup` plan.
+
+**Things to consider**
+
+There is some downtime involved when the `peadm:restore` plan is executed. The following services will be restarted:
+
+1. pe-console-services
+2. pe-nginx
+3. pxp-agent
+4. pe-puppetserver
+5. pe-orchestration-services
+6. puppet
+7. pe-puppetdb
+
+There is also a procedure related to the restoration of the databases where `peadm::restore` will temporarily set privileges (permissions) to a DB user with the only purpose of restoring the database. These temporary privileges are removed right after the PostgreSQL restore command finishes.
+
+Also, this plan uses internal calls to the `peadm::get_targets` function, this means the plan expects the services to be up and running when you start either a restore or a backup.
+
+## How to use the restore plan?
+
+As in the `peadm::backup` plan, you can choose what you want to restore by specifying the parameter `restore`. The `input_file` parameter refers to the location of the backup tarball.
+
+Example:
+
+**Note:** The `peadm::restore` plan can only be executed from the PE primary server.
+
+```
+# restore_params.json
+
+{
+  "restore": {
+    "orchestrator": false,
+    "puppetdb": false,
+    "rbac": true,
+    "activity": false,
+    "ca": false,
+    "classifier": false,
+  },
+  "input_file": "/tmp/path/backup_tarball.tgz"
+}
+```
+To run the `peadm::restore` plan with our custom parameters file, we can do:
+
+    bolt plan run peadm::restore --params @restore_params.json

plans/backup.pp

@@ -0,0 +1,123 @@
+# @api private
+# @summary Backup the core user settings for puppet infrastructure
+#
+# This plan can backup data as outlined at insert doc
+# 
+plan peadm::backup (
+  # This plan should be run on the primary server
+  Peadm::SingleTargetSpec $targets,
+
+  # Which data to backup
+  Peadm::Recovery_opts    $backup = {},
+
+  # Where to put the backup folder
+  String                  $output_directory = '/tmp',
+) {
+  peadm::assert_supported_bolt_version()
+
+  $recovery_opts = (peadm::recovery_opts_default() + $backup)
+  $cluster = run_task('peadm::get_peadm_config', $targets).first.value
+  $arch = peadm::assert_supported_architecture(
+    getvar('cluster.params.primary_host'),
+    getvar('cluster.params.replica_host'),
+    getvar('cluster.params.primary_postgresql_host'),
+    getvar('cluster.params.replica_postgresql_host'),
+    getvar('cluster.params.compiler_hosts'),
+  )
+
+  $timestamp = Timestamp.new().strftime('%Y-%m-%dT%H%M%SZ')
+  $backup_directory = "${output_directory}/pe-backup-${timestamp}"
+
+  $primary_target = getvar('cluster.params.primary_host')
+  $puppetdb_postgresql_target = getvar('cluster.params.primary_postgresql_host') ? {
+    undef   => getvar('cluster.params.primary_host'),
+    default => getvar('cluster.params.primary_postgresql_host'),
+  }
+
+  $backup_databases = {
+    'orchestrator' => $primary_target,
+    'activity'     => $primary_target,
+    'rbac'         => $primary_target,
+    'puppetdb'     => $puppetdb_postgresql_target,
+  }.filter |$key,$_| {
+    $recovery_opts[$key] == true
+  }
+
+  # Create backup folders
+  apply($primary_target) {
+    file { $backup_directory :
+      ensure => 'directory',
+      owner  => 'root',
+      group  => 'root',
+      mode   => '0700',
+    }
+
+    # Create a subdir for each backup type selected
+    $recovery_opts.filter |$_,$val| { $val == true }.each |$dir,$_| {
+      file { "${backup_directory}/${dir}":
+        ensure => 'directory',
+        owner  => 'root',
+        group  => 'root',
+        mode   => '0700',
+      }
+    }
+  }
+
+  if getvar('recovery_opts.classifier') {
+    out::message('# Backing up classification')
+    run_task('peadm::backup_classification', $primary_target,
+      directory => "${backup_directory}/classifier",
+    )
+  }
+
+  if getvar('recovery_opts.ca') {
+    out::message('# Backing up ca and ssl certificates')
+# lint:ignore:strict_indent
+    run_command(@("CMD"), $primary_target)
+      /opt/puppetlabs/bin/puppet-backup create --dir=${shellquote($backup_directory)}/ca --scope=certs
+      | CMD
+  }
+
+  # Check if /etc/puppetlabs/console-services/conf.d/secrets/keys.json exists and if so back it up
+  if getvar('recovery_opts.rbac') {
+    out::message('# Backing up ldap secret key if it exists')
+# lint:ignore:140chars
+    run_command(@("CMD"/L), $primary_target)
+      test -f /etc/puppetlabs/console-services/conf.d/secrets/keys.json \
+        && cp -rp /etc/puppetlabs/console-services/conf.d/secrets ${shellquote($backup_directory)}/rbac/ \
+        || echo secret ldap key doesnt exist
+      | CMD
+# lint:endignore
+  }
+# lint:ignore:140chars
+  # IF backing up orchestrator back up the secrets too /etc/puppetlabs/orchestration-services/conf.d/secrets/
+  if getvar('recovery_opts.orchestrator') {
+    out::message('# Backing up orchestrator secret keys')
+    run_command(@("CMD"), $primary_target)
+      cp -rp /etc/puppetlabs/orchestration-services/conf.d/secrets ${shellquote($backup_directory)}/orchestrator/ 
+      | CMD
+  }
+# lint:endignore
+  $backup_databases.each |$name,$database_target| {
+    run_command(@("CMD"/L), $primary_target)
+      /opt/puppetlabs/server/bin/pg_dump -Fd -Z3 -j4 \
+        -f ${shellquote($backup_directory)}/${shellquote($name)}/pe-${shellquote($name)}.dump.d \
+        "sslmode=verify-ca \
+         host=${shellquote($database_target.peadm::certname())} \
+         user=pe-${shellquote($name)} \
+         sslcert=/etc/puppetlabs/puppetdb/ssl/${shellquote($primary_target.peadm::certname())}.cert.pem \
+         sslkey=/etc/puppetlabs/puppetdb/ssl/${shellquote($primary_target.peadm::certname())}.private_key.pem \
+         sslrootcert=/etc/puppetlabs/puppet/ssl/certs/ca.pem \
+         dbname=pe-${shellquote($name)}"
+      | CMD
+  }
+
+  run_command(@("CMD"/L), $primary_target)
+    umask 0077 \
+      && cd ${shellquote(dirname($backup_directory))} \
+      && tar -czf ${shellquote($backup_directory)}.tar.gz ${shellquote(basename($backup_directory))} \
+      && rm -rf ${shellquote($backup_directory)}
+    | CMD
+# lint:endignore
+  return({ 'path' => "${backup_directory}.tar.gz" })
+}